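<?php
  session_start();
  include "library.php";

/*
 * Login page.
 *
 * Reads the "user" and "pass" POST fields, looks the user up in the Users
 * table, and on a successful, approved login stores the user name and
 * position in the session and redirects to members.php.
 *
 * The credential check runs BEFORE print_header() so that the session id can
 * still be rotated (a Set-Cookie header cannot be sent once page output has
 * started). The visible output order is unchanged: header, then either the
 * redirect script or the failure message, then the form.
 *
 * NOTE(review): this page has no attempt throttling or lockout; consider
 * adding one, since nothing here slows down password guessing.
 */

// Only accept plain string fields. A missing field (first page load) or an
// array-valued field (user[]=x) is treated as empty instead of raising
// notices or passing a non-string into the string functions below.
$userInput = (isset($_POST["user"]) && is_string($_POST["user"])) ? $_POST["user"] : "";
$passInput = (isset($_POST["pass"]) && is_string($_POST["pass"])) ? $_POST["pass"] : "";

$loggedIn = false;   // true once the session has been populated
$loginMessage = "";  // failure text to show under the page header

//If both the username and password fields have been filled out, try to login
if($userInput !== "" && $passInput !== "") {
  // NOTE(review): connection parameters are hard-coded and the last argument
  // is an empty string. If that argument is the database password (confirm
  // against library.php), set a real password and load credentials from
  // configuration kept outside the web root.
  $pwdb = connectSQLServer("wendlc_teamsci","sdd","");
  mysql_select_db("wendlc_TeamSci");

  // NOTE(review): the mysql_* extension was deprecated in PHP 5.5 and removed
  // in PHP 7.0. Migrating connectSQLServer()/dbquery() to mysqli or PDO with
  // prepared statements would remove the need for manual escaping here.
  //
  // htmlspecialchars()/stripslashes() are HTML/legacy-quoting transforms, not
  // SQL or password handling. They are kept only because existing rows and
  // stored hashes were presumably created through the same transformation;
  // verify against the registration code before removing them.
  $name = mysql_real_escape_string(stripslashes(htmlspecialchars($userInput)), $pwdb);

  // md5()'s second parameter is the boolean "raw output" flag, not a salt.
  // The original passed the string "pw", which PHP coerces to true, so the
  // stored values are 16 raw bytes; `true` keeps that exact behaviour.
  // NOTE(review): this is an unsalted, fast MD5 hash. Migrate to
  // password_hash()/password_verify() (PHP 5.5+), re-hashing each account on
  // its next successful login.
  $pass = md5(stripslashes(htmlspecialchars($passInput)), true);

  $query = "SELECT * FROM Users WHERE UserID = '".$name."'";
  $q = dbquery($query);
  // Guard against dbquery() handing back a non-result on failure
  // (its behaviour is defined in library.php and not visible here).
  $results = $q ? mysql_fetch_object($q) : false;

  // Strict comparison: `==` applies PHP's loose string rules (numeric-looking
  // strings compare as numbers), which must never decide a credential check.
  // On PHP 5.6+ hash_equals() would additionally make this constant-time.
  $passwordMatches = is_object($results)
    && is_string($results->Password)
    && $pass === $results->Password;

  if($passwordMatches && $results->Approved == 1){

    //Clear any lingering data and rotate the session id so an id that was
    //known before authentication cannot be reused afterwards (session fixation)
    session_unset();
    session_regenerate_id(true);

    // NOTE(review): $name is the SQL-escaped form of the input, as in the
    // original; other pages may rely on that exact value, so it is unchanged.
    $_SESSION["username"] = $name;
    $_SESSION["position"] = $results->Position;
    $loggedIn = true;
  } else if($passwordMatches) {
    // Only reachable with a correct password, so this reveals nothing to
    // someone who does not already hold valid credentials.
    $loginMessage = 'Account not yet approved.<BR><BR>';
  } else {
    // One message for both "unknown user" and "wrong password": separate
    // messages let anyone test which User IDs exist. This also removes the
    // second lookup query the original ran just to pick a message.
    $loginMessage = 'The User ID or password is incorrect.<BR><BR>';
  }
}

print_header(1,105);

if($loggedIn){
  echo "<script>location.href='members.php'</script>";
} else if($loginMessage !== ""){
  echo $loginMessage;
}

?>

<form method = "post">
<h2>Login</h2><BR><BR>
User ID: <input type = "text" name = "user" value = "" maxlength = "100" /><br />
Password: <input type = "password" name = "pass" value = "" maxlength = "100" /><br /><BR>
<input type = "submit" name ="Add" value = "Login"/>
</form>

<?php
print_footer();
?>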